Exam MS-101 topic 1 question 25 discussion

The policy exist, it just needs to be modified and It's now called Microsoft Defender for Cloud Apps https://www.rebeladmin.com/2018/09/step-step-guide-manage-impossible-travel-activity-alert-using-azure-cloud-app-security/

The answer is A. You need to create a new policy specifically for the app. B mentions MODIFYING a policy which means impossible travel already applies to other apps

B is the correct answer The impossible travel detection identifies unusual and impossible user activity between two locations. The activity should be unusual enough to be considered an indicator of compromise and worthy of an alert. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy

I`m going for A, as this question is the same as in MS-100 including the same error. Microsoft hates to change built-in policies. Always go for a new policy.

https://docs.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy

I'm going for A, although there is an existing Impossible traffic policy which you can edit, you cannot filter on a specific App there. Only way to do that is to create a new anomaly detection policy with a filter.

https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy Impossible travel

b esta bien

o Microsoft Defender for Cloud Apps, modifique a política de alerta de viagem impossível. Para atender aos requisitos, é necessário configurar a política de alerta de viagem impossível no Microsoft Defender for Cloud Apps. Isso garantirá que o alerta seja gerado apenas para o aplicativo App1. O Controle de Aplicativo de Acesso Condicional deve ser configurado para fornecer informações ao Microsoft Defender for Cloud Apps, que por sua vez gera alertas de acordo com a política definida.

To be alerted by email if impossible travel is detected for a user of App1, you should modify the impossible travel alert policy in Microsoft Defender for Cloud Apps. A is incorrect because creating a Cloud Discovery anomaly detection policy in Microsoft Cloud App Security will not help to generate alerts for impossible travel. Cloud Discovery anomaly detection policy is used to detect anomalous activity in cloud apps.

B would work, you can modify the existing impossible travel alert policy in Defender for Cloud apps, to send an email alert and only alert for app1. That will achieve the question objective. So I’m answering B A is wrong for 2 reasons. Email alerts are set up in Defender for Cloud Apps NOT ‘Cloud App Security and ‘impossible travel’ is an ‘anomaly detection policy’ NOT a ‘Cloud Discovery anomaly detection policy’ So answer is B I wouldn’t actually do that though as it’s editing the in built impossible travel policy and now the only alerts are for app1. But that’s what the question wants you to do I suppose. I would set up a new impossible travel policy to just apply to app1 and set up email alert for that, but cannot currently see how that is done.

Agree, the policy is an available option, it includes impossible travel and can be filtered to an app.

Should be A. Even when renaming, the text of the documentation says that impossible travel is an anomaly *detection* policy, not *alert policy*

I agree with A... But It's now called Microsoft Defender for Cloud Apps (?).